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(57) Abstract 



Proactive robust threshold schemes are presented for general "homomorphic-type" public key systems, as well as optimized systems for 
the RSA function. Proactive security employs dynamic memory refreshing and enables us to tolerate a "mobile adversary" that dynamically 
corrupts the components of the systems (perhaps all of them) as long as the number of corruptions (faults) is bounded within a time 
period. The systems are optimal-resilience. Namely they withstand any corruption of minority of servers at any time-period by an active 
(malicious) adversary (i.e., any subset less than half. Also disclosed are general optimal-resilience public key systems which are "robust 
threshold" schemes (against stationary adversary), and are extended to proactive" systems (against the mobile one). The added advantage 
of proactivization in practical situations is the fact that, in a long-lived threshold system, an adversary has a long time (e.g., years) to break 
into any / out of the / servers. In contrast, the adversary in a proactive systems has only a short period of time (e.g., a week) to break 
into any t servers. The model of mobile adversary seems to be crucial to such "long-lived" systems that are expected to span the secure 
network and electronic commerce infrastructure. 
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OPTIMAL-RESILIENCE , PROACTIVE , PUBLIC-KEY 
CRYPTOGRAPH I C SYSTEM AND METHOD 

FIELD OF THE INVENTION 

The invention relates to the field of electronic 
cryptographic systems and methods. More particularly, the 
invention relates to systems and methods for distributing a 
cryptographic service (e.g., electronic document signing) 
among a plurality of servers in a communication or. data 
processing network, 

BACKGROUND OF THE INVENTION 

Certain attempts at distributed cryptographic 
operation, such as signing and encrypting/decrypting, are 
known. However, no previous system enjoys efficiency of 
operation combined with high level of security and 
availability in a system that retains its security while any 
minority of distributed servers collude and stop, misbehave, 
and try to help in breaking the system's secret. Other 
attempts have been made to deal with various issues of 
threshold cryptography and mobile adversaries, although only a 
limited number discuss proactive function sharing. 

The notion of "proactive public-key" was addressed 
in A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung in; 
Proactive Secret Sharing, or: How to Cope with Perpetual 
Leakage, Advances in Cryptology - Crypto 95 Proceedings, 
Lecture Notes in Computer Science, Vol. 963, D. Coppersmith 
ed., Springer-Verlag, 1995, pp. 339-352 ("[HJKY]"). This 
implementation was based on "discrete logarithm" with 
exponentiation in a prime field (i.e., given the elements 
modulo a prime p, use a generator of GF(q) where g divides p - 
1) . This problem involves distributed computation over keys, 
and the keys in this case are taken from domains whose 
algebraic structure is public (a group of a known order) . 

A number of other theoretic references to making 
cryptographic mechanisms proactive include: R. Ostrovsky and 
M. Yung, How to Withstand Mobile Virus Attacks, Proc. of the 
10th ACM Symposium on the Principles in Distributed Computing, 
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1991, pp. 51-61 r[OY]"); R. Cannetti and A. Herzberg, On 
Maintaining Security in the Presence of Transient Faults, 
Advances in Cryptology, Proc. of Crypto '94 P[CH]"); A. 
Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung, 
Proactive Public Key and Signature Systems, The 4-th ACM Syrap. 
on Comp. and Comm. Security, April 1997 (" [HJJKY] ") ; Y. 
Frankel, P. Gemmel, P. MacKenzie and M. Yung, Proactive RSA, 
Tech Report Version SAND96-0856, Sandia National Laboratories, 
March 1996 (" [FGMY] ") . Each of the references cited above, 
and all other references cited below, are fully incorporated 
herein by reference. 

SUMMARY OF THE INVENTION 

The invention offers a general implementation of 
distributed cryptographic functions combined with a high level 
of availability of service, high efficiency of operation, and 
a high level of security. It is applicable to a variety of 
asymmetric- key cryptographic functions, such as digital 
signatures, encryption, escrow, authorization, etc. 

An object of the invention is to provide a 
cryptographic system and service that is distributed and 
optimal in tolerance of faulty distributed components. 

A further object is to provide an asymmetric-key 
cryptographic system and service employing a plurality of 
servers such that the system is available and remains secure 
as long as, within a time-period, some majority of the servers 
acts correctly. 

A further object is to provide an asymmetric-key 
cryptographic system and service having a set of protocols for 
distributing a cryptographic function. 

A further object is to provide an asymmetric-key 
cryptographic system and service capable renewing and 
recovering key shares. 

A further object is to provide an asymmetric-key 
cryptographic system and service having optimal resilience. 

A further object is to provide a robust 
cryptsystem. 
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These and other objects are achieved by providing a 
distributed cryptographic system and service including 
periodic reexpression of the basic cryptographic function. 
The reexpression may be to a different family of functions 
than the basic cryptographic function. Reexpression may 
utilize a "share of shares" method (e.g., "poly-to-sum" or 
"sum-to-poly") . These methods allow for proactivization, and 
for changing the threshold parameter from t-out-of-2 to t-out- 
of-t and vice versa. The methods further provide for changing 
t and I dynamically as a system management tool. Additional 
aspects of the invention provide for checking protocols to 
monitor individual servers of the distributed cryptographic 
system, thereby making the system robust. 

Techniques of the present invention can be applied 
to any system implementing a cryptographic function where: 1) 
the function has the property of share translation (i.e., 
fki (m) * fk2(m)= fki + kiim)); 2) one can compute inverses in the 
share space; and 3) the share space is simulatable (i.e., one 
can chose random elements in a simulatable space which is 
indistinguishable from choosing in the key space) . 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 illustrates a network environment that has 
available to it a distributed cryptographic service function 
or functions and that is suitable for embodying the present 
invention . 

Fig. 2 illustrates an exemplary request by a 
requesting node to the distributed system for a cryptographic 
service . 

Fig. 3 illustrates an exemplary distributed system 
for performing a cryptographic service. 

Fig. 4 illustrates generic communications within a 
distributed system for embodying present invention. 

Fig. 5 illustrates general phases of operation of a 
distributed system embodying the present invention. 

Fig. 6 illustrates a system of communicating 

servers . 
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Fig- 1 illustrates the re-expression of an RSA 

function . 

Fig. 8 illustrates a checking protocol for a robust 
cryptographic system. 

Fig, 9 illustrates an arrangement that provides an 
additional layer of protection in consideration of non- 
trusting entities. 

Fig. 10 illustrates reshuffling in a distributed 

system. 

Fig. 11 illustrates a distributed system having 
changes in the number of users and threshold. 

Fig. 12 illustrates the notion of sharing of a 
general homomorphic function. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Threshold cryptography in general, and function 
sharing for public-key functions in particular, has the spirit 
of secret sharing, where a secret is shared and is recoverable 
only from a threshold of shareholders. Function sharing 
provides for the availability of a keyed cryptographic 
function f k (') by distributing f k (') to a set of 1 servers such 
that, for any valid argument m f any set of at least a 
threshold of t out of the 1 servers can compute f k (m) . This 
increases the availability of function evaluation (typically a 
signature or a decryption function) . For security, an 
adversary who (1) controls less than a threshold of servers 
and (2) can hear all public messages obtains no computational 
advantage in computing f k {m') for a target message m' (as 
compared to an adversary attacking the centralized function 
f k {) with the same capabilities). Thus the function is 
protected by "space diffusion," because an attacker is forced 
to break the memory of more than a threshold t of the function 
shareholders. 

"Resilience" is a property describing the number of 
allowed compromised and misbehaving servers in a time period, 
which is a parameter here called t. An optimal t ("optimal 
resilience") means that the total number of servers is l>2(t - 
1) + 1. For this t, a majority of arbitrarily misbehaving 
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servers can "control" the computation . (even for a stationary 
adversary) . 

The notion of "proactive security" (against a mobile 
adversary) provides enhanced protection of memories of long- 
lived cryptographic keys that may be distributed (i.e., 
protected by "space diffusion"). Proactive security adds 
protection by "time diffusion" as well. Namely, given a 
distributed function via threshold cryptography (function 
sharing) as described above, it adds a periodic refreshing of 
the contents of the distributed servers 1 memories. This 
refreshing is a "t-wise re-randomization" of the local 
servers' values in a way that preserves the global key, but 
makes previous contents of any set of less than t out of the 1 
servers "useless". This renders useless the knowledge of the 
mobile adversary (e.g., hackers, viruses, bad administrators, 
etc.) obtained in the past from compromising less than the 
allowed t servers, and gives the system a self-securing 
nature. 

The proactive systems for cryptographic functions 
inherit the availability of function-sharing by allowing any 
subset of servers of size t to compute the underlying 
function, thereby preventing a small set of faulty servers 
from disrupting availability. Proactive systems also can use 
robustness- techniques to enhance availability of threshold 
cryptosystems by tolerating (detecting or correcting) 
malicious servers who are actively attacking the availability 
of the system. Moreover, proactive security enhances 
robustness, because it also provides for recovery of servers' 
memories that were previously corrupted by an adversary or by 
non-malicious faults. This gives the system a self-healing 
nature . 

As a result, the system can tolerate a "mobile 
adversary" which is allowed to potentially move among servers 
over time, with the limitation that it can only control up to 
t - 1 servers during a particular time interval. The 
adversary may even eventually visit the entire system (under 
the above restriction) . Nevertheless, the system self-heals 
from erasures and corruption of memories by the adversary, and 
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self-secures against the adversary's actions. This is a 
stronger adversary than a stationary one (which corrupts 
servers in a monotone fashion) . 

Fig. 1 illustrates a network environment that has 
available to it a cryptographic service function or functions 
and that is suitable for embodying the present invention. The 
network 101 includes multiple nodes 103 interconnected by 
communications paths 105. A distributed system 107 also 
connects to the network 101 through communication paths 109. 
It will be appreciated that many configurations of nodes 103 
and connection paths 109 would be suitable. 

Fig. 2 illustrates an exemplary request by a 
requesting node 111 to the distributed system 107 for a 
cryptographic service. As illustrated, a single requesting 
node 111 provides an input communication 113 to the 
distributed system 107. The distributed system 107 performs 
the cryptographic service, and returns an output communication 
115. It will be appreciated that many variations in the 
manner of presentation of a request and return of a result 
would be suitable. For example, it is not required that a 
single requesting node 111 present a complete request in a 
single input communication 113 , or that the output be returned 
to the requesting node 111 in a single output communication 
115. Many protocols would be suitable, and could include a 
variety of administrative interactions, such as verification 
by the distributed system 107 of the identity of the 
requesting node 111, confirmation of payment for the service, 
etc. 

Fig. 3 illustrates an exemplary distributed system 
107 for performing a cryptographic service. Multiple agents 
121 each participate in performing the cryptographic service 
in a distributed manner. For simplicity of illustration, all 
agents are given the same reference numeral, even though each 
might perform different functions in the course of providing a 
cryptographic service as discussed more fully below. An input 
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processor 123 receives an input communications 113 from a 
requesting network entity (not shown) , and provides all of the 
agents 121 with information relating to the particular . 
cryptographic service request. An output processor 125 
receives and combines partial -result information from each of 
the agents 121, and provides an output communication 115 to 
the requesting network entity (not shown) . The input 
processor 123 and output processor 125 can provide a layer of 
security as a so-called "firewall" between the network (not 
shown) and the agents 121, and can further assume additional 
administrative tasks. 

Many cryptographic services involve the application 
of an asymetric cryptographic key to input information. For 
example, if the cryptographic service is digital signing of 
electronic documents, the distributed system would generate a 
single signature for the document on behalf of the distributed 
system as a whole. In a public key cryptosystem, such a 
signature would correspond to the application of a secret 
signature key to a message. A signature recipient could 
verify the signature by using a public verification key that 
corresponds to the secret signature key. 

In the distributed system 107, the secret signature 
key does not exist as a single key in a single location. 
Instead, a key distributor (sometimes called a "dealer") 127 
distributes key shares to each of the agents 121. Each agent 
121 applies its individual key share to an input, and the 
collective operation of multiple agents 121 would produce a 
single signature that can be verified by a single public 
verification key. However, no single agent possesses 
sufficient information to generate the signature by itself. 
Agents can also be referred to as "shareholders," in the sense 
that each agent holds a share of the key. 

For the purpose of the illustration of Fig. 3, heavy 
lines with arrows at both ends designate a plurality of 
communication paths to all agents. Light lines without arrows 
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designate individual communication lines among agents. Each 
agent 121 can communicate with every other agent 121, with the 
key distributor 127, with the input processor 123, and with 
the output processor 125. It is preferred that no agent 121 
be accessible to the network (not shown) , except through the 
input processor 123 and output processor 125. 

It will be appreciated that the methods of the 
present invention will be practicable in a variety of 
alternate configurations. For example, a single computer 
server could function both as an input processor 123 and an 
output processor 125. It is also possible (though not 
preferred) for a designated one or ones of the agents 121 to 
act as an input processor, or an output processor, or both. 
It is possible (though not preferred) for one of the agents to 
perform the key distribution function, rather than to rely on 
a separate key distributor 127. Alternatively, the agents 
might generate key shares in a distributed manner, in which 
case the key distributor 127 or one or more of the agents 121 
could serve as an administrative coordinator for the key 
distribution process. 

As will be discussed more fully below, the 
distributed system 107 can provide a cryptographic service 
using fewer than all agents 121. Fig. 4 illustrates generic 
communications within the distributed system 107 when three 
agents 131, 133 and 135 participate in providing the service. 
Two other agents 132, 134 do not actively participate in 
generating the output. In this illustration, the input 
processor 123 provides a message M to all five agents 131, 
132, 133, 134, 135. Two of the five agents 132, 134 take no 
action, either because of an instruction from the input 
processor 123, or by some other signaling means. For example, 
the message itself could designate, or be associated with a 
header that designates, which particular ones of the agents 
are to participate in the service. Depending on the protocol 
used, as many as all of the processor can act, though only a 
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subset are used for the final computation. The three active 
agents 131, 133, 135 each apply their respective key shares to 
generate partial results 137. The output processor 125 
receives the partial results 137 and combines them into an 
output F k (M) , which in turn is communicated to the requesting 
node of the network (not shown) . 

Fig. 5 illustrates general phases of operation of 
the distributed system. In a setup phase 141, the key 
distributor distributes key shares to agents of the 
distributed system. In a function application phase 143, 
agents apply their respective key shares to inputs, and 
provide partial results to the output processor. In an update 
phase 145, members of the distributed system periodically take 
a variety of actions to maintain system security and to 
recover from passive failures and/or active attempts to 
corrupt the system. After the update phase 145, the 
distributed returns to providing cryptographic services in the 
function application phase 143. 

Poly and Sums 

A secret or a function may be shared via a system of 
mathematical equations, so as to enable subsets of users ot a 
quorum of users to be able to apply their shares to get 
partial results that are then combined and computed upon to 
produce the final result. The final result on the given input 
is equal to the final result of the function which is re- 
expressed by the shares. The discussion below will 
concentrate on one representation of functions that are re- 
expressed as distributed shares, which are points on a 
polynomial (which we call sharing by "poly") . Other 
approaches are possible as in the use of finite geometry with 
hyperplanes . 

A secret or a function may be shared so that all 
shares are needed and all shares are applied to get partial 
results that are then combined. We concentrate on combining 
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through addition, and therefore call this sharing: sharing by 
"sum." 

A Secure Robust Threshold RSA 

Described below is a threshold RSA scheme suitable 
for use in a distributed system as described above, but for 
which the security is not known. Then, the threshold scheme 
will be modified to be an RSA threshold scheme which is as 
secure as RSA under the stationary (non-mobile) adversary 
model. The basic idea of this example is to use the Shamir 
threshold scheme where inverse computations are easy. 

RSA is generated by the dealer with a public key 
(e, n) and a private key d. Let H = gcd (e,L) and using the 
extended Euclidean algorithm compute P,s' such 1 = eP + £ s\ 
Note that rfs P+ Lk' mod 9(n) where k* s ds' H' 1 mod 8(h). This 
is computable since H~ l exists because e must be invertible. A 
random polynomial r(xf of degree t - 1 with coefficients in {O, 
L,... 9 L3tC) , where C is poly(n) , is chosen such that r(/+i) = 
L*k'e Z. (The t factor in the coefficients is used for the 
proactive scheme and can be set to 1 for the static threshold 
RSA without proactivization. ) Let P be made public (i.e., 
part of each share holder's key). Next, shadowholder /with 
public interpolation points x$ = i receives secretly shadow 
St=r(Xi) € Z. Note, that the share is a multiple of L. Now, 
let A where | A \-t be any subset of shareholders, observe: 
d = P + £ Si • z i A e Z where z i A = {"[ (xi - x v J-*(/+ 1 - 

ieA ' veAWi/ 

*r>. (1) 

Since L divides 5/ and \\ v6Aui /Xj - x„ is a 
multiple of L, the terms in the above sum can be computed 
effectively over the integers from 5/ (without inverses in the 
group) . Hence to generate a signature for message m, each 
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ieA gives partial results tt aiZi ' A mod n, and a combining 
function computes in* mod n and the final desired result: m d s 

**** * n ,eA /T,5jZ: ' A moc * The above scheme is arithmetic-wise 
analogous to the systems in Y. Desmedt and Y . Frankel, shared 
Generation of Authenticators and Signatures, Advances in 
Crypt ology Crypto 89 Proceedings, Lecture Notes in Computer 
Science, Vol. 435, G. Brassard ed. , Springer Verlag, 1989, pp. 
307-315 (" [DF91]") (which was designed for strong primes), the 
analogy is by distributing shares as s$/L using interpolation 
point /+l rather than 0 as the secret location and therefore 
choosing % slightly different. 



Shares of Shares (Poly to Sum) 

Now is discussed a t-out of-t share (poly to sum) 
protocol . this is a protocol among t servers which transforms 
a t-out-of-I polynomial based sharing scheme to a t-out-of-t 
additive sharing scheme. It extends the scheme in [FGMY] 
which transforms a t-out-of-t sharing by sum to another t-out- 
of-t sharing by sum. This poly to sum protocol provides for 
randomization of the current state which converts the above 
(or [DF91] ) to a secure system as discussed below in the 
section entitled "A Secure Threshold RSA Scheme." This 
randomization is also designed specifically to allow for 
robustness in the section below entitled "Robust Threshold RSA 
Scheme . " 

Fig. 6 illustrates a system of communicating servers 
401, 403, 405, 407 and 409 which perform poly to sum for a 3 
out of 5 sharing of the secret RSA key configuration. The 
secret RSA key is distributed using, for instance as in 
[DF91] , a polynomial approach to sharing in which server 401 
has share s lt server 403 has share s 2 , server 405 has share s 3 , 
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server 407 has share s 4t and server 409 has share s s . The 
poly- to- sum protocol enables any 3 of the servers to convert 
their respective shares for a 3 out of 1 system into a 3 out 
of 3 system. As denoted over time after the poly to sum 
protocol is performed, server 401 with share Sj obtains share 
s/, server 405 with share s 3 obtains share s 3 ' , and server 407 
with share s 4 obtains share s 4 ' . The new shares s x ' , s 3 ', s 4 ' 
are obtained from a distributed protocol amongst the servers 
in the 3 out of 3 reconfiguration. The arrows in Fig. 6, 
denote that relationship of the new shares to the old shares. 
For example, server 401 obtains share Sj' by a protocol whose 
result has a relationship to s x , s 3 , and s 4 , as depicted in 
Fig. 6. 

Fig. 7 illustrates the re-expression of an RSA 
function. The 3 out of 3 system configuration with servers 
301, 303 and 305 depicts an additive three out of three 
sharing which can be performed after the poly to sum protocol 
is performed. That is, the keyed RSA function 309 is re- 
expressed into a protocol in which 301, 303, 305 working with 
server 307 can compute the same function evaluation of the 
keyed RSA as in 309. Let dl+d2+d3 a d mod Q(n) f let server 301 
have share dl, let server 303 have share d2 and let server 305 
have share d3. As depicted, each of the servers 301, 303 and 
305 can compute A^mod n using their respective share, the 
input M, and the public composite n when working with 307. It 
is possible to allow server 307 to be server 301, 303 and/or 
305. 

To relate servers 401, 405 and 407 (Figure 6) to 
servers 301, 303 and 305 (Figure 7), after the poly to sum 
protocol, the configuration could be: server 401 depicted as 
server 301; 405 depicted as server 303; and server 407 
depicted as 305. Moreover, share s 2 ' is replaced by dl, share 
s 2 ' is replaced by d2, and share s 3 ' is replaced by d3 in Fig. 
7. System implementation can be as follows. 
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Setup: We assume that the dealer, during share distribution, 

publishes elements g,g x 6 % n of maximal order, and it 

publishes Si = g Si ' L~ mod n for all i. Let A where |A| = t be 
the shareholders (servers) participating in the share of 
shares protocol . Servers choose a leader serve i ' . 

Sharing shares: Server i: 

Generates: ivy € R { 0 , 1, .' . . , in-l) } f or J e A\{/}. 

• Set self-held share to be: ri,i = Si*z JyA -^] jeAui} r itj eZ . 

• Privately transmit over the public channel using 
probabilistic encryption (an act which also publicly 

i 

commits to the message) r it ^Z and r ifj ^ {0,.,.,n-l} 
to server j. 

I'D J-i.j T-r _ 

• Publish R itj a 7 9 X and U t s g[*J . 

Verify and generate shares: Let r i# ^o and r itjt o be the 
commitment values that j received privately from i. This 
verifies that one received the correct committed values, 
shares are of correct size, and algebraic relations between 
various committed values show correctness of interaction. 

1. Each server j verifies that for all ieA\{J): 
? 

x v ) and V : = ( Xi -x v ) . 

If the verification does not pass, then server i is 
removed and new A is chosen. 
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9 

9 rl 



• ■ \ njt o\ZB-l, and g g < ~ ^ 

If verifications are disputed by j then rj,j,o and 

ri t ^o is revealed (decommited) , and either i or j is removed 
appropriately. Protocol is halted. 

The first verification (on the magnitude of ri f j f o) 
is used to prevent an attack in which the adversary sends very 
large values so that the shareholder can not compute 
efficiently. Different techniques can be used such as the 

size of packets (fields) which transmit r ifj ,o may be of a fixed 
size but large enough. 

2. If all verifications pass f shadowholder 1 s j e A new 
shadow is 5) = - r" + £, eA n.j.o such that L divides S j and 0 < 
rj < X. 

3. Shareholder j publishes r" and &-I~I veA £f rJ '°* 

Note that any attempt to spoil the computations 
forces an adversarial server to be removed. When the protocol 
is used in an environment when / > 2(f-l)+l servers, we can 
revise the set A to a new set of t shareholders and redo the 
set of shareholders from start. 

Remark: splitting the shares in step 2 above is not 
necessary at this point, but will be used in the proactive 
extension discussed below. 

A SECURE THRESHOLD RSA SCHEME 

Discussed here is a secure threshold RSA protocol. 
As stated above in the section titled, "A Heuristic Threshold 
RSA Scheme f " it is not known how to prove the security of the 
hueristic RSA thresold cryptosystem in the static adversary 
model. The problem is proving security when the subsets of 
signers change from message to message which makes its 
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security only a heuristic. To get a provably secure protocol, 
the approach is to dynamically convert the singing shares of 
the current set of t shareholders employing the poly to sum 
technique above. Then the signing is done using the shares of 
the sum. "Dynamically converting" here means that any new set 
of t shareholders have to go through the above poly to sum 
technique prior to singing. This will make partial views 
available to the adversary random and independent, and will 
permit one to "simulate" the adversary's view. By 
demonstrating that one can simulate the view, one can give a 
proof of security as follows. 

Step 0 (Setup) : The share distribution protocol of the 
section titled, "A Heuristic Threshold RSA Scheme" is 
performed, and encryption keys for each server are 
distributed. It is assumed that the dealer during setup 

publishes elements g,gi€Z, t of maximal order where gi=g* for a 
relatively prime to 0 (n) , (the elements can be part of each 

•r 2 

server's key). Sr = g SiL mod n for all i is made public as 
well . 

Step 1 (Poly to Sum): Perform the poly to sum (share-of- 
shares) protocol of the section above entitled "Share of 
Shares (Poly to Sum)" ("Poly to Sum") until a set of t servers 
which successfully complete the poly to sum protocol without 

disputes is found. Let A be the t servers which successfully 
completed the protocol . 

Step 2 (Signing) : To sign for each input message m, each 
server in A broadcasts partial result Smjji = m mod n where 
Si is from "Poly to Sum." Observe that m d s up™ • T~T Smis 




mod n, where W = £^ r, , which can be easily computed by the 
publicly available combining function. Shareholders in A can 





M 
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now sign as many messages as they desire using the s' shares 
they obtained in the poly to sum protocol without performing 
the poly to sum conversion again. As a performance 
optimization note that a server can keep in its cache 
polynomially many shares for different A *s. 

EMPLOYING A CHECKING PROTOCOL TO ASSURE ROBUSTNESS IN THE 
RESILIENT DISTRIBUTED CRYPTOGRAPHIC FUNCTION SERVER. 

In the distributed cryptographic service, we may 
want to assure integrity of the partial results. To this end, 
the units may engage in a checking protocol between a unit and 
the output process. As a result of this protocol the output 
process can decide which partial result is correct and which 
to discard, i.e. it performs an error-detection and 
elimination process. Given the remaining correct partial 
results, the output process can combine and compute the final 
result . 

As an alternative to error detection and elimination, the 
output process may apply an error correction procedure that 
computes with correct and incorrect pieces, but as long as 
there is a quorum of correct partial results, the final result 
is correct. This assures that the robustness is maintained 
even in a system where some components may fail (hardware or 
software failures) . Note that input and output processes need 
to be replicated in high availability system in an environment 
where components may fail. 

Fig. 8 illustrates a checking protocol for a robust 
cryptographic system. As depicted in the 3 out of 3 
configuration, the three servers 421, 423, and 425 in 
combination with the combining function 427 are performing a 
protocol. (The combining function 427 may be shared in 
another server, such as 421, 423, 425 and/or other servers.) 
The verification protocol for 421' s partial result is 
performed via the interactions 421 has with 423, 425 and 427 
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as depicted by 429. An exemplary verification for an RSA 
scheme is discussed below. 



ROBUST THRESHOLD RSA SCHEME 

The scheme described above in the section titled, "A 
Secure Threshold RSA Scheme," is secure but it is not robust. 
A subset of size t may include a misbehaving party during 
signing, and a new subset will have to be considered. 
Robustness provides for efficient verification of a 
shareholder's computation. The secure threshold RSA protocol 
can be made robust as discussed below. 

Setup: Let Verifier be the entity that computes the efficient 
combining function to obtain xn rf mod n from the output of the 

shareholders. Let s) be server i's share generated from the 
share of share protocol in the section above titled, "Shares 

J-L 2 

of Shares (Poly to Sum) , " and let witness Si 55 IT = 

<T1 . Rvi )•/(<?/ g 1 )mod n be generated using public 
information provided in "Shares of Shares {Poly to Sum)." 

Verify partial result: One can use a technqiue from Y. 
Frankel, P. Gemmel and M. Yung, "Witness Based Cryptographic 
Program Checking and Robust Function Sharing, " Proceedings of 
the 28th Annual Symposium on Theory of Computing, ACM, 1996, 
pp. 499-508 ( " [FGY] " ) , or for super-safe prime RSA, one can 
use a technique from R. Genaro, S. Jarecki, H. Krawczyk, T. 
Rabin, "Robust Threshold RSA, Advances in Cryptology -- Crypto 
96 Proceedings," Lecture Notes in Computer Science, Vol. 1109, 
N. Koblitz ed., Springer- Verlag, 1996, pp. 157-172, 
( " [GJKR2] " ) . There are known random elements (generators of 
subgroups) gi and the result of the shareholder's function 
applied to them (which are called "witnesses"). For simplicity 
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of presentation one can assume one such generator gr of a 
maximal order. (Alternatively, one may use a number of random 
generators that are exponentiated separately and then are 
multiplied together with the message to create a checker 
data.) The protocol goes as follows: 

1. The Verifier gives to shadowholder i; the message m 
and checker M = xm°g* x mod n for q Q , q x e R {o , . . . , n-l} . 

2. The Verifier proves (e.g., in a two round protocol 
of [FGY] ) that it knows the elements 9 0 r9i* 

s\ 

.3 . Shadowholder returns partial result Smj^ = *** "tod n 
and H = flr 3 ' mod n. 

4. Let sIua * & be received by Verifier. Then 
Verifier verifies that 

(H*) = ( sIja ) 1,2 * g ° ( Si ) q] mod n. If the test 
fails, then an error is detected. 

An implementation which is a combined protocol 
which comprises of initial setup of shares distributed with 
published witnesses. The protocol of the section above titled 
"A Secure Threshold RSA Protocol," running with "Verification 
of Partial Results" as above, is a "robust threshold RSA" 
which: (1) is optimal -resilience, and (2) has small permanent 
share size of the order of the size of the secret. 

EMPLOYING A UNIT INTEGRITY FUNCTION WITHIN THE RESILIENT 
DISTRIBUTED CRYPTOGRAPHIC FUNCTION SERVER 

Applications of the distributed cryptographic 
service of high resilience may be a sharing of a key by 
different organizations, with each organization holding a key 
share. Each organization may belong to a different country or 
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to a different business entity, which makes the unit mutually 
distrustful. Fig. 9 illustrates an arrangement for a 
shareholder that provides an additional layer of protection in 
consideration of non- trusting entities. Item 451 designates a 
shareholder as an organization, while items 453 and 455 
designate equipment units used by the organization 451. A 
measure of distrust arises, for example, when the source that 
built and/or designed the secret share holding/computing unit 
455 is not be entity 451. Therefore, there is a mutual 
distrust between the builder/designer of unit 455 and the user 
organization 451. 

In this case each shareholder organization 451 
entrusts its share to unit 455, but also relies on a second 
unit 453 whose task is assuring the integrity of unit 453. 
This unit -integrity unit 453 will work with the computing unit 
455 to, e.g., (1) supply the computing unit 455 with random 
bits for computation, (2) engage in an "interactive checking 
protocol" to assure robustness and correctness of the result, 
and (3) prevent leakage of information out of the computing 
unit to the network 457. The integrity unit 453 will provide 
assurance not only that the correct output was presented by 
455, but also that there are no subliminal channels, timing 
channels or other forms of covert channels. Other protection 
mechanisms may be enforced by the firewall as defined by 
policies. This provides a firewall protection for each of the 
units . 

SMALL -SHARE ROBUST THRESHOLD RSA 

Part of the reason that the above scheme has large 
shares is due to the need to have shares of a specific form to 
allow for proactivization. When proactivization is not 
needed, a secure threshold RSA scheme exists where shares are 
of the order of the RSA key. A "size efficient secure RSA 
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function sharing" exists where a permanent share is only a 
small constant times the secret's size. 

To implement this, let r(x) be as in the section 
above entitled "A heuristic threshold RSA scheme." Distribute 
shares as S/ s (r{I) /L) mod 0 (n) which is possible since L 
divides r(i) in the integers. For the shares held after the 

poly to sum protocol, only S/S, z i#A /^»©i/(X/J^ /( (Xt-Xj) ) must 

be stored and gcd(L, I~[ /eM(/| (Xt-xj) ) made publicly available to 
server. 

All exponentiations are computed first with s/ and 

then raised by gcd(L, ixj-Xj) ) . Observe that the user 

must also possess a decryption key for the private 
computations . 

SECURE PROACTIVE RSA 

In order to protect against a mobile adversary, the 
shareholders reshuffle (re -randomize) their shares. If the 
adversary has access to the memory of a server at some point 
in time, and later the adversary is removed from the server, 
that past information is useless to the adversary .after an 
update period. Figure 10 illustrates reshuffling in a 
distributed system. A system of 5 servers 361, 363, 365, 367 
and 369 have shares s itj which change as the time period 
changes. For instance, server 361 has share s ltl at time 
period 1, s 1#2 at time period 2, and s lt3 at time period 3. 
The combining function 371 is not affected during the time 
periods but it is acceptable that a different server function 
as 371 within a single time period and between several time 
periods . 

Discussed here is a secure proactive RSA protocol 
where in this variant of the implementation shares are 
refreshed. 
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SHARE DISTRIBUTION (SETUP) : This is a setup as in the robust 
threshold RSA in the section "Robust Threshold RSA Scheme." 
The dealer generates an RSA with public key (e,n) and private 
key d. It then generates shares s it0 of L* K' as in the section 
titled "A Heuristic Threshold RSA Scheme." The dealer also 

publishes {g,g*} for a ge Z* of maximal order and for all i 
the value *> mod n (if we employ more generators, it 

publishes this value with respect to each of them) . 

UPDATE PERIOD: Let U<- U +1. 

SHARE RENEWAL AND RECOVERY ; The intent is to make shares at 
time u + i be t-wise independent of shares held at time u. A 
"poly to sum" share of shares protocol is performed to create 

a t-out-of-t sharing of L* K' = W + 5 \ where W is a 

public value dividing L. Now the shares are additively 
shared, then subject to a "sum to poly" share of share 

operation. Namely, each serve i shares its s] (and the 
resulting public value W as well) with all servers j using the 
Shamir threshold scheme. Each of the 1 shareholders now sums 

up all the poly shares of each of the t shadows s] , generated 
by A. Hence each shadow holder will have a share of L* k' . 

The protocol updates all user's shares. Hence, whether 
old shares exist (renewal) or do not exist (recovery) is 
irrelevant, since the newly dealt share becomes the mechanism 
by which signing is performed. The following is done: 

1. Perform the "poly to sum" share of shares protocol 
(Section "Shares of Shares (Poly to Sum)") with shares 
from time u - 1, , until a set of t shadowholders 
defined by A have no dispute and agree to shares their 

respective s] and the public W. 

2. Perform the following "sum to poly" share of share 
protocol (the goal is to randomly re -share the value as 
the value of a polynomial in location 1 + 1) : 
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(a) Each i e A shares its Si (the lowest numbered 
member also shares the public w in its share, i.e., 

si <- for smallest / € A). The sharing is 

done by generating a random polynomial r" (at) of 
degree t - 1 with coefficients in {0, L,...,LC}, 
where C is as in the section titled "A Heuristic 

Threshold RSA Scheme." and then computes r] ix) = 

r, (x) - r,- + j/, = 2jr»o a '* >:cV ' a P ol y nomial to 

share n (/+ 1) + 5/ in which L divides all shares. 

(b) Server / e A then publishes all the g**'" L and 

privately transmits w itj = r] (J) € ^for / € 
{1 /}. 

(c) Each server j verifies: 

• Similar to [F] verify (proper share) : 

9 

w i(J L 2 L J 

? s ILo ( ^ ai - v } mod n 



verify (proper secret) : g Si ^ 



r'-l 



s FILo tST a ''*' mo< * n ' w ^ere witness 

gj/ " L 2 = ]^ >eA /J^ mod n is generated from public 

values in Section "Shares of Shares (poly to 
sum)", (except for the server with lowest index 

AM? 

which must multiply by q ) . 



• verify correct form: L divides w itj 

(d) Then dispute resolution is performed. Detected 

faulty and corrupted system components (servers) are 
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rebooted and the share renewal process continues 
from the beginning until there are no disputes. 

(e) Now s ilU = Xj e \ w .ti- Erase previous history and 

St tU ' Li 

retain new current shadow Si, u . The gr are 
published using the multiplication mod n of 

3. The common "public" constants (such as the system size 1, 
the public part of the key P, and the value of the 
generators ) that are maintained proactively by a simple 
memory "refresh" procedure: each server sends to each 
server its current value and then the majority value 
becomes the new permanent value. 



The size of the w ipj is sent via packets (fields) 

which are of fixed size large enough in order to prevent an 
attack in which the adversary sends such large shares that the 
shareholder can not compute with efficiently. 

RSA FUNCTION APPLICATION: Let time be u. Performed exactly 
as the secure threshold RSA in Section entitled "A secure 

threshold RSA scheme" with shadow $ IU if robustness is not 
required, otherwise perform the computation with verification 
as in the protocol of the section entitled "Robust Threshold 
RSA Scheme. " 

Dynamic Management Function Sharing 

The embodiment can serve other purposes . The above 
method is a very flexible transformation going from t-out-of-I 
to additive sharing t-out-of-t and back. One can, when going 
back, change the sharing threshold and increase the number of 
servers and have, say t'-out-of-l' (assuming, of course that 
at most t' - 1 if t' < t can be corrupted at the update). 
Also, one can decrease the number of servers in a similar way 
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and under analogous assumptions about corrupted servers. This 
demonstrates the strength of this flexible technique. 

The system can change in multiple ways with respect 
to dynamic management: no change, add user/same threshold, add 
user/decrease threshold, add user/increase threshold, delete 
user/same threshold, delete user/decrease threshold and delete 
user/increase threshold. Figure 11 illustrates a distributed 
system having changes in the number of users and threshold. 
In a system initially consisting of a 3 out of 5 system with 
servers 401, 403, 405, 407 and 409, an "add user/increase 
threshold dynamic management" operation is performed to 
include server 411. After the "add user/increase threshold 
dynamic management" operation, the system is a 4 out of 6 
system. As also depicted Fig. 11, if the delete user/same 
threshold dynamic management system is performed server 409 is 
removed and the system becomes a 4 out of 5 system. 

A Note: against an adversary that is only curious 
but does not affect memories of servers, namely it is not 
disruptive (malicious) , one can have polynomial of larger 
degrees t even when t > n/2 when one is sure that t servers 
are always available (since the adversary only reads 
memories), and the adversary can control at most t - l of* them 
at any period. 

3.9 A Generalized Embodiment of Proactive System 

Fig. 12 illustrates the notion of sharing of a 
general homomorphic function. The function F depicted as 421 
accepts as input a message M and a secret key k, then given 
these two input values, returns result F k (M) . The pro-active 
system re-expresses 421 (which is keyed with the secret k) by 
introducing servers 423, 425, 427, 429, 431 and 433. The 
illustrated system is a 3 out of 5 system, in which any 3 of 
the servers chosen from 423, 425, 427, 429 and 431 can work 
together with 433 in order to generate the value F k {m) in a 
distributed fashion. 
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Discussed below is a generalization of the. previous 
embodiment from an RSA system to a generalized set of 
functions which are called trapdoor permutation. A trapdoor 
permutation family were introduced by W. Diffie, and M. 
Hellman, New Directions in Cryptography, IEEE Trans, on 
Information Theory, 22 (6), 1976 ( " [DH] " ) and are discussed 
below. 

Definition 1: A trapdoor permutation family 7a consists of a 
polynomial time generator G that, when given an input l h (h the 
security parameter) returns (WLOG) a randomly drawn tuple 
consisting of two h bit strings (pu,se) where pu is a public 
key and se is the secret key. The keys define permutations, 
f pu (')and f se (-), over the sample-able message space Z> pu such that 
f se (0is the inverse function for f pu (-)and given pu(se) applying 
fpu(*) (<f se (0) is polynomial time. 

Finding inverses of random values of a randomly 
chosen permutation without having the secret key se is hard. 
That is, for all probabilistic polynomial time algorithms A, 
for any polynomial poly(0, for all h large enough: 

P[f P a(Vi)=W: (pu,se) <-G(l A ) ;*r€ R {0,l)*;U<^A(l*,pu,ttf )< 1 ^ ) . 

Recall that, P[x:e x ; ~, e^} is the standard notation 
for the probability of predicated x after the events ei occur 
(are executed) sequentially. 

SUFFICIENT CONDITIONS 

The following are sufficient conditions for the 
permutation. The notion of share -translation condition below 
provides sufficient algebraic properties to assure that a 
function is share-able. 
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Definition 2 (Share-Translation) : Let the secret key be se = 
k. A trapdoor (hard to compute) permutation f*(*)is share- 
translate-able when: 1) there exists an Abelian share space 
group *:„(+) where k € K„, 2) there exists a polynomial time 
"mapping" f : X m . XV pu -> Z> pu such that f\ = £ k , 3) the 
probability that f is not defined for one or more randomly 
chosen poly(h) elements in Z> pu is negligible, and 4) there 
exists an associated binary operation for the set Z> p „ such 
that (a)* f' (a)*f k} . ki (a) for any kl, k2 e and and a 

A family of trapdoor permutations 7h is "share- 
translate-able if almost all elements in it are share- 
translate-able. " A sufficient condition such that all of the 
operations in a function sharing primitive are computable in 
polynomial time in the security parameter was defined in A De 
Santis, Y. Desmedt, Y. Frankel, and M. Yung, How to Share a 
Function Securely, ACM Proceedings of the 26th Annual 
Symposium on Theory of Computing, ACM, 1994, pp. 522-533 
( " [DDFY] " ) , and can be stated as follows. 

Definition 3 (Share Efficiency) A trapdoor permutation is 
efficiently (polynomial time) share -translate -able when 1) 
given pu, multiplying elements and computing inverses in the 
message space Z> pu is polynomial time in A, 2) share space X S0 is 
a sample -able set / 3) the share space %,*(+) is an Abelian 
group such that given se one can perform the and inverses 
in polynomial time in h, and 4) may be found in 
probabilistic polynomial time, given se. 

A family of trapdoor permutations ?a is efficiently 
share-translate-able if almost every element in it is. 

Share translation and share efficiency do not, on 
their own, guarantee security. For the function sharing 
protocol to be secure, all of the information the adversary 
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receives must not allow it to break the system. To provide 
for security, all the information that the adversary would 
receive is simulate-able given public information. 

The share space is often not sample-able as, for 
instance, the RSA function where the share space of the 

trapdoor permutation could be = Z^ rt )( + ) ■ Leaking any 
information about (f> (n) may compromise security. Picking a 
random number in {0, . . . , 0 (n) -l} can be simulated by Z> pu = 
{0, . . . , u-l} using only public information in order to provide 
a means in which to simulate share distribution. 

The simulate-able property states that given public 
information only, one can, in polynomial time, simulate the 
actions of g (the shared function) and %** via a function z 
(the simulate-able function) and Z pu (the simulate-able share 
space) respectively. This can be stated as follows. 

Definition 4 (Simulate-able) Let ^pu f se; e ?h be the input to 
a function sharing primitive. We say that the shadow function 
generation phase is simulate-able for ?h when: 1) there exists 
a probabilistic polynomial time algorithm S x which, when given 
pu, returns a polynomial space description of Z pu (defined 
below) and a polynomial time algorithm Z; Z pa x V P u — > Z> pu , 2) 
there exists a probabilistic polynomial time algorithm S 2 : 

{0,l} b x (0,l} h x K m9 -» Z pv , such that f\ = Zt for 

k<-S2 (pu,se,k' ) ) , and 3) distributions {x\x Bp Z ptt } and {x\y €p 
X mm ; x<-S 2 (pu,se,y) } are statistically indistinguishable. 

A family of trapdoor permutations ?h is simulate - 
able if almost every element in it is. 



EXTENSIONS OF THE KEY SPACE 
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Discussed below is a definition of the extensions 
of the key space and how operations are performed on this key 
space . 

Definition 5 (Key Space Extension) Let Z[u] be an algebraic 
extension over the integers of degree m. The extended share 
space is the module Z*' 1 = X„ x— x 2T M (i.e., the direct product 
of m copies of over Z [u] . 

On can create an extension of which has the 
appropriate algebraic structure to perform Lagrange 
interpolation over any finite Abelian group uniformly for any 
/. Let f be a prime greater than or equal to 1 + 1 and ube a 

root of the cyclotomic polynomial p (x) = <x q -l) / (x-1) = Y*"V 
This defines an extended key space 5W" 1 = X # " x X„ » X- 
M/lPW)» the direct product of g - 1 copies of 5ST„. We 
consider as a module over Z[»] 2 Z[x] / (p(x) ) (i.e., the 
extension of integers with the element u) . 

Lemma 1: Let q be a prime greater than or equal to 1 + 1, and 
u be a root of the cyclotomic polynomial p(x) = (x g -l)/(x-l) = 

XyJ^ . Let Xi = X>o w> * Then (x i " x j }1 exists for 0</£/. 

Proof. Using the extended Euclidean algorithm [HW] (JT/)" 1 , 
l^i<l is computed since gcd( (u*-l) / (u-1) , (u'-l) / (u- 

i 

l)) = (iri^' t r/ , )/(i I .i)=i in Z[u], if-l| W-i, and q is a prime. 
Moreover, gcd(m-l, tr') =1 . From this it is easy to see that (jk>- 

Xj) = -l^o ifli ( ( u q ~ 2 -\ ) I (w-1) ) , for some q lt has an inverse for 
0</</. Therefore, this module has a scalar in which the Xt and 

Zv-1 ' 
' u v . This 

property is useful in creating a threshold scheme over this 
module . 
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Observe that (u*)' 1 = w' *. One can write elements X?' 1 as 
[&0, . , . ,<fc,. 2 ] and the identity element as [0,...,0], where 0 is 
the identity element of + Addition in 3S^" J ( + ) is defined 

as tio,...,4i,.2] + [fa ^. 2 ] = [Ab «. jfc 0 , . • . ,A*. 2 + k^i) . The 

scalar operation (* 0 + — + * ff _ 2 iw~ 2 ) • [J^ ir,_ 2 ] is defined 

recursively from [Ab J^. 2 ] = [A-J^ A J^. 2 ] for *e Z 

and »• [ir 0 ,^. 2 ] = [o,Jkb ,Afc. 3 ] + [-A*. 2 -Jk^ 2 ] . 

Definition 6 (Public Domain Extension) Let Z[u] be an 
algebraic extension over the integers of degree m. The 
extended public domain is the module V* 1 = V pu X**'XZ> pu (i.e., 
the direct product of m copies of Vjm) over Z[u] . 

WLOG, one can assume the public domain is 
multiplicative. Similarly one can write elements Z*' 1 as 
[xn 0 , . . . , m q . 2 ] and the identity element as [1, • • . , 1] , where 1 
is the identity element of Z> P n(*). Multiplication in Z>*" J (*) is 

defined as [m 0t . . . ,xn q . 2 ] * [ mo , - • • , m q -i ] = [^o* mo , - . . , xn q _ 

2*^-2] • The scalar operation 

[xn 0 , . . .,m q . 7 ] <*° + "* + b q -iu q 2 ) ig defined recursively from 
[xn 0 , . . . ,xn q _ 2 ] * = [mo iw{-2] for be Zand [xn 0 , . . . , zn*- 2 ] u = 

[l,xn 0 , . . . ,m q _ 2 ] * [ m'qli , . . . , m^] • 

The DDFY Threshold Cryptosystem 

Based on the theoretical basis set forth above, a 
general protocol can be implemented as follows. It will be 
appreciated that many variations in the manner of the use of 
algebraic extensions are possible and that similar techniques 
as with the use of finite geometry are also possible. For 
instance, extension over the integers in which there exists 
sufficient interpolation points x v such that and Xf. x t , 
where i * j , have inverses in the integer extension for all 
necessary interpolation points are usable. 
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Setup: Let £ k (>) be the function to be shared. Let q > 1 be a 
prime and u be a root of the cyclotomic polynomial p(x) e 

• Let * - SlV- 

Share distribution phase: A random "polynomial" r{x) = 

£T ffl [J*J is chosen such that r ([0 , . . . , 0] ) = [k, 0, . . . Q] and 
otherwise is random. It computes Si = t o ,o* • • • » Ct^-i ] = r(JK» . 
It then publishes ( z" ! , z pu ) <-S x (pu) and i's private share is Si 

= [Ci, 0 , . . . ,C/,j_ 2 ] where C/,/ = S> (pu, se, c, v ) . 

Shared function evaluation phase: To jointly sign for a 
message m, server i transmits partial results, S m j * 

[in, 1, , . . , 1] eP* to the combining function. Then the 
combining function calculates* 

V€A 

(2) 

and computes result [i£(zn),o,...,o] - T\* ^ ^ where 0 

represents an element in Z> p « which is not relevant. 

For a function which satisfies Definitions 2, 3, an 
4, the above is a secure and correct function sharing 
protocol. A. De Santis, Y. Desmedt, Y. Frankel and M. Yung, 
How to Share a Function Securely, ACM Proceedings of the 26th 
Annual symposium on Theory of Computing, ACM 1994, pp. 522- 
533. 

The advantage of this is that this protocol is 
completely non- interactive . The shadow-holders never need to 
communicate with each other, directly or indirectly. This is 
due to the fact that a shadowholder does not need to know the 
identity of the shadowholders which it will do the distributed 
function sharing operation with. In practice, this may be 
very beneficial. 
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Discussed below is a method by which the protocol 
is proactivized as the preferred embodiment for generalized 
functions, beginning with the simulatability condition. 

Definition 7 (Additive simulate-ability) : Let Zpu be the set 

of integers which contains Zpu • Moreover, there exists a 
polynomial time (in the length) predicate called Mem such that 

Mem (a) = TRUE if and only if a € Zpu • 

NOTE: it should be noted that Zpu and Zpu (as denoted by pu) 
are different than Z n the intergers modulo n. 

The proactivization technique is to use the 
function application as above except that the update phase the 
poly to sum (see the section entitled "Shares of Shares (Poly 
to Sum)" above) is followed by the sum to poly phase (see 
"Secure Proactive RSA" above) . For robustness one can use 
techniques analogous to the ones used for RSA based on Y. 
Frankel, P. Gemmell, P. Mackenzie and M. Yung, Witness Based 
Cryptographic Program Checking and Robust Function Sharing, 
Proceedings of the 28th Annual Symposium on Theory of 
Computing (" (FGY] " ) . 

Definition 8 (Simulate-able Space Extension) Let Z[u] be an 
algebraic extension over the integers of degree m. The 
extended public domain is the set with binary operation 

Z q 1 (+;= z|> u X"*xZpu (i.e., the direct product of m copies of 

4 

Z P u over Z[u) . 

WLOG, one can assume the simulate -able space is 
additive. Similarly one can write elements Z as [s 0# ...,f ff . 
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2 ). Addition in Z*' J ( + ) is defined as [s 0 s^ 2 ) + [ S o s q - 2 ] 

- ls 0 + £<> , . • . ,fff. 2 ♦ j v -2l- The scalar operation (£ 0 + "' + b 9 „ 2 w' 
2 ) [5 0# . . . ,s f2 ] is defined recursively from b* [s 0 , . . . ,s q . 2 ] = 
[b ' S ° ** 5 *-* ] for * € Zand u- [s 0 s q _ 2 ] = [o,s 0 + 

[-5 ff . 2/ . . . , -Sf_ 2 ] . 

OTHER FUNCTIONS 

Proactive cryptosystems can also be based on 
cryptographic functions using discrete logarithms, including 
those defined over a composite. Hence for instance, El Gamal 
encryption can have an optimal resilience proactive system. 
RSA based variants such as elliptic curve RSA also have 
sufficient algebraic properties to be made proactive in 
accordance with the present invention. 

POLY TO SUM WITH DDFY 

Discussed below is a poly to sum method for the 
proactivization based on [DDFY] . . Define selection function 

C i as cr/( \sof—,Sq-i) ) = Si • 

Setup: Assume that the dealer during share distribution 
publishes an element g= [g' , l , . . . , i] such that g> <= Z> pu is of 

maximal order and it publishes S/= g 5 * for all /. Let A where 

|A| = t be the shareholders (servers) participating in the 
share of shares protocol. 

Sharing Shares: Server /. 



Generates r/ y Zj 
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• Privately, transmit using probabilistic encryption 
over the public channel (an act which also publicly 
commits to the message) rtj to server j. 

• Sets the self-held share to be r iti = Go (y iK • si) - 
^A\ui ri ' J G Z pu ' (JVa as in equation (2)). 

• Publish Rtj = g Vii . 

Verify and generate shares: Let fij be the share received by J 
from /. 

l. Each server J verifies that for all ieA \ ffj : 

v * = el™ • 

If the verification does not pass then 
server / is removed and new A is chosen. 

? ? 
• for Memfri^) = True and g riJ = Rtj 



If verifications are disputed by j, then 
Tij is revealed (decommited) , and either / 
or j is removed appropriately. The 
protocol is halted. 



2. If all verifications pass, shadowholder ' s /new 
shadow is sj = X/ca^* 7 * 

THE PROACTIVIZED DDFY PROTOCOL 

Share distribution (setup) Let U- 0. 
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Let k g *Kmm be the secret and let f k C) be the 
function to be shared. Let q > J be a prime, if be a root of 

the cyclotomic polynomial p(x) = X^r 7 and x, = J^//. 

The dealer chooses a random "polynomial" r{x) = 

Z'Jo"'*' W such that r({0 0]) = [*,0 0] and 

otherwise is random. It computes s ] = lc],o c iJf - 2 ) = rUry) . 

It publishes (z l , Z pv ) <-S x (pu) and privately transmits to 

server / share 5/ = [c,, 0 c ,,,. 2 ] where * = fci.o c[ q - 2 J and 

c ij = 3>(pu, se, C/J ], The dealer publishes an element g = 
t£? ,1, ... ,1] such that g' e Z> pri is of maximal order and it 
publishes 5/ = g* for all / . 

Update period: Let U <- £T + 1. 

1. Perform the "poly to sum" share of shares protocol 
(Section entitled "Poly to Sum with DDFY " ) with 
shares from time U-l, s iJU _ x , until a set of t 
shadowholders defined by A have no dispute and 

agree to shares their respective s] . 

2. Perform the "sum to poly" share of share protocol: 

(a) Each Ie A shares its 5, by generating a random 
polynomial r, (*) = St + Za Tm \ a ^ x of degree t = 

1 with coefficients a*.* e*Zff~ J . 

(b) Server / e A then publishes all the g° lv and 

privately transmits w u = r \ (Xj) for Je {1,.. M J}. 

(c) Each server / verifies: 

• Similar to [F] verify: 
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•> 

g" M »,■ T-r'-' a 3i -") lXj)V 

s 7 [ | rn) * ' where witness 

t 

9 Sl s ri/eA is 9 enerated from public values 

i (Section entitled "Shares of Shares (Poly to 
Sum") . 

(d) Then dispute resolution is performed. 
Detected faulty and corrupted systems are 
rebooted and the share renewal process 
continues from the beginning until there are 
not disputes. 

(e) Now 5/ (U = y Erase previous history 

and retain new current shadow s§ v. The g s uu 
are computed using the gwj . 

The size of the w itj is sent via packets (fields) 
which are of fixed size large enough in order to prevent an 
attack in which the adversary sends such large shares that the 
shareholder can not compute with efficiently. 

Shared function application: Let time be U. Performed as the 
[DDFY] scheme as presented in the section titled "The DDFY 

Threshold Cryptosystem" ) with shadow Si.e except that servers 
keys are in x * • • x rather than Zp« x • • • x Zpu ■ 
robustness, use [FGY] protocol using witness gSuu . 

The embodiments described herein use relatively 
efficient constructions that are based on servers evaluating 
and transmitting cryptographic functions' values. The 
techniques of the present invention can also be applied to 
less efficient communication constructions characterized by 
the theoretical notion of "secure circuit evaluation," where 



WO 98/49804 m PCT7US98/08299 

(36) 

the theoretical notion of "secure circuit evaluation, " where 
the communication is proportional to the size of circuits 
computing the cryptographic functions. 

Another application of the "proactive model" is a 
flexible key management of shareholders in a function sharing 
scheme . It enables to change the set of shareholders during 
the refreshing period by giving the recovered new share to a 
new server, rather than the old one. The protocols of the 
present invention extend this capability, and enable dynamic 
changes of the threshold value as well. 

The previous discussion addressed certain "size 
parameters" (e.g., length of keys and of shares of keys etc.). 
It is contemplated that one would choose size, or relative 
size, of keys according to a notion of "security level" and 
its tradeoff against "performance level.' ' For increased 
security one would choose a longer set of keys, and a longer 
key takes more memory space and more computation time to 
calculate. The size parameters can be varied. as a system's 
parameter providing higher security when increased, or higher 
performance when decreased. 

Other examples of applications of the present 
invention include: 1) as a certification authority where the 
distributed system is used to produce certificates based on 
authorized inputs, and 2) as an escrow agency in which 
shareholders are escrow agents, and a plurality of escrow 
agents are needed to create a dencryption of authorized 
cyphertext to be taken off escrow. 

The embodiments described herein are intended to be 
illustrative and not limiting. It will be appreciated that 
many variations are possible within the scope and spirit of 
the invention. 
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1 . A method for performing computations on an input to 

generate an output, said computation defined by a particular 
instance of first function family, the method comprising the 
steps of : 

reexpressing the instance of the first function 
family as a first plurality of instances of alternative 
function families; 

at each of a plurality of distinct locations, 
applying an instance the alternative function family to the 
input to generate a plurality of partial result; 

combining the partial results to obtain a final 

result ; 

wherein the final result is the same result as would 
be obtained by applying the instance fo the first function 
family to the input; and 

reexpressing the instance of the first function 
family as a second plurality of instances of alternative 
function families and applying the second plurality of 
instances to inputs, such that 

. (1) at differing times, a location applies instances 
of differing function families, and 

(2) combining partial results of applying each of 
the second plurality of instances of the alternative function 
families to the input produces a result that is the same as 
would be obtained by applying the instance of the first 
function family to the same input. 
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